From 4f7fd9bf48f32fefa594d6e271441fa1a2186cff Mon Sep 17 00:00:00 2001 From: Manuel Huber Date: Tue, 1 Aug 2023 00:31:17 +0000 Subject: [PATCH 1/6] Enable SNP=on with CH conf-guest enabled and add dummy host_data value --- src/runtime/virtcontainers/clh.go | 29 ++++++++++---- .../cloud-hypervisor/client/api/openapi.yaml | 11 +++++ .../client/model_payload_config.go | 35 ++++++++++++++++ .../client/model_platform_config.go | 40 +++++++++++++++++++ .../cloud-hypervisor/cloud-hypervisor.yaml | 5 +++ 5 files changed, 112 insertions(+), 8 deletions(-) diff --git a/src/runtime/virtcontainers/clh.go b/src/runtime/virtcontainers/clh.go index 809965e22d3c..d81be8ef21b0 100644 --- a/src/runtime/virtcontainers/clh.go +++ b/src/runtime/virtcontainers/clh.go @@ -83,6 +83,7 @@ const ( clhAPISocket = "clh-api.sock" virtioFsSocket = "virtiofsd.sock" defaultClhPath = "/usr/local/bin/cloud-hypervisor" + snpHostDataDummy = "0123456789012345678901234567890123456789012345678901234567890123" ) // Interface that hides the implementation of openAPI client @@ -430,10 +431,18 @@ func (clh *cloudHypervisor) enableProtection() error { return nil + case snpProtection: + if clh.vmconfig.Platform == nil { + clh.vmconfig.Platform = chclient.NewPlatformConfig() + } + clh.vmconfig.Platform.SetSnp(true) + + clh.vmconfig.Payload.SetHostData(snpHostDataDummy) + + return nil + case sevProtection: return errors.New("SEV protection is not supported by Cloud Hypervisor") - case snpProtection: - return errors.New("SEV-SNP protection is not supported by Cloud Hypervisor") default: return nil 
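Review bot: `snpHostDataDummy`, added in the `const` hunk, is a fixed and publicly visible 64-hex-digit value that the new `case snpProtection:` passes as the SEV-SNP HOST_DATA via `clh.vmconfig.Payload.SetHostData(snpHostDataDummy)`; the firmware copies HOST_DATA into the guest's attestation report, so every Kata/CLH SNP guest launched with this code reports the same value and a verifier gains no binding from checking it. That intent should be stated where the constant is defined, e.g. `// snpHostDataDummy is a placeholder for the hex-encoded 32-byte SEV-SNP HOST_DATA; it is reflected in the attestation report, so verifiers must not rely on it until a real value is wired through the configuration.`, and the call site could carry `// TODO: make HOST_DATA configurable instead of this fixed placeholder`. Grouping the constant with the socket and binary paths in the same `const (` block also hides its meaning; a separate block or a name that says it is a placeholder would help. `Payload` is dereferenced here without the nil guard `Platform` gets two lines earlier; presumably it is always constructed before `enableProtection` runs (CreateVM calls `Payload.SetIgvm` unguarded too), but that is worth confirming, and `enableProtection` begins before this hunk.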
@@ -485,24 +494,28 @@ func (clh *cloudHypervisor) CreateVM(ctx context.Context, id string, network Net if err != nil { return err } - clh.vmconfig.Payload.SetIgvm(igvmPath) // Make sure the kernel path is valid if no igvm set if igvmPath == "" { + if clh.config.ConfidentialGuest { + return errors.New("igvm must be set with confidential_guest") + } kernelPath, err := clh.config.KernelAssetPath() if err != nil { return err } clh.vmconfig.Payload.SetKernel(kernelPath) + } else { + if !clh.config.ConfidentialGuest { + return errors.New("igvm can only be set with confidential_guest") + } + clh.vmconfig.Payload.SetIgvm(igvmPath) } if clh.config.ConfidentialGuest { if err := clh.enableProtection(); err != nil { return err } - if igvmPath == "" { - return errors.New("igvm must be set with confidential_guest") - } } // Create the VM memory config via the constructor to ensure default values are properly assigned @@ -580,8 +593,8 @@ func (clh *cloudHypervisor) CreateVM(ctx context.Context, id string, network Net clh.vmconfig.Pmem = &[]chclient.PmemConfig{*pmem} } } - } - + } + initrdPath, err := clh.config.InitrdAssetPath() if err != nil { return err diff --git a/src/runtime/virtcontainers/pkg/cloud-hypervisor/client/api/openapi.yaml b/src/runtime/virtcontainers/pkg/cloud-hypervisor/client/api/openapi.yaml index 3b7fb662b90d..ae806161db74 100644 --- a/src/runtime/virtcontainers/pkg/cloud-hypervisor/client/api/openapi.yaml +++ b/src/runtime/virtcontainers/pkg/cloud-hypervisor/client/api/openapi.yaml @@ -626,6 +626,7 @@ components: - oem_strings - oem_strings tdx: false + snp: false serial_number: serial_number uuid: uuid tpm: @@ -650,6 +651,7 @@ components: kernel: kernel initramfs: initramfs igvm: igvm + host_data: host_data firmware: firmware serial: mode: "false" @@ -785,6 +787,7 @@ components: kernel: kernel initramfs: initramfs igvm: igvm + host_data: host_data firmware: firmware properties: firmware: 
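Review bot: The new igvm/kernel selection is an `if`/`else` pair that re-tests `clh.config.ConfidentialGuest` inside each branch, so the two mutually exclusive error conditions and the two success paths are spread over nested blocks; a flat `switch` enumerates the four outcomes in one place without changing behaviour, as below. The existing comment `// Make sure the kernel path is valid if no igvm set` now describes only the last case and could read `// An IGVM payload is mandatory for confidential guests and forbidden otherwise; non-confidential guests boot a kernel.` The second hunk on this line (`@@ -580`) only fixes trailing whitespace. `CreateVM` starts before and ends after this hunk.
```go
	// An IGVM payload is mandatory for confidential guests and forbidden otherwise;
	// non-confidential guests boot a kernel.
	switch {
	case igvmPath == "" && clh.config.ConfidentialGuest:
		return errors.New("igvm must be set with confidential_guest")
	case igvmPath != "" && !clh.config.ConfidentialGuest:
		return errors.New("igvm can only be set with confidential_guest")
	case igvmPath != "":
		clh.vmconfig.Payload.SetIgvm(igvmPath)
	default:
		kernelPath, err := clh.config.KernelAssetPath()
		if err != nil {
			return err
		}
		clh.vmconfig.Payload.SetKernel(kernelPath)
	}
	// … unchanged: enableProtection call and memory config …
```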
@@ -797,6 +800,8 @@ components: type: string igvm: type: string + host_data: + type: string type: object VmConfig: description: Virtual machine configuration @@ -992,6 +997,7 @@ components: - oem_strings - oem_strings tdx: false + snp: false serial_number: serial_number uuid: uuid tpm: @@ -1016,6 +1022,7 @@ components: kernel: kernel initramfs: initramfs igvm: igvm + host_data: host_data firmware: firmware serial: mode: "false" @@ -1225,6 +1232,7 @@ components: - oem_strings - oem_strings tdx: false + snp: false serial_number: serial_number uuid: uuid properties: @@ -1247,6 +1255,9 @@ components: tdx: default: false type: boolean + snp: + default: false + type: boolean type: object MemoryZoneConfig: example: diff --git a/src/runtime/virtcontainers/pkg/cloud-hypervisor/client/model_payload_config.go b/src/runtime/virtcontainers/pkg/cloud-hypervisor/client/model_payload_config.go index 84b98d5ce872..da196dac078c 100644 --- a/src/runtime/virtcontainers/pkg/cloud-hypervisor/client/model_payload_config.go +++ b/src/runtime/virtcontainers/pkg/cloud-hypervisor/client/model_payload_config.go @@ -21,6 +21,7 @@ type PayloadConfig struct { Cmdline *string `json:"cmdline,omitempty"` Initramfs *string `json:"initramfs,omitempty"` Igvm *string `json:"igvm,omitempty"` + HostData *string `json:"host_data,omitempty"` } // NewPayloadConfig instantiates a new PayloadConfig object 
@@ -72,6 +73,37 @@ func (o *PayloadConfig) SetIgvm(v string) { o.Igvm = &v } +// GetHostData returns the HostData field value if set, zero value otherwise. +func (o *PayloadConfig) GetHostData() string { + if o == nil || o.HostData == nil { + var ret string + return ret + } + return *o.HostData +} + +// GetHostDataOk returns a tuple with the HostData field value if set, nil otherwise +// and a boolean to check if the value has been set. +func (o *PayloadConfig) GetHostDataOk() (*string, bool) { + if o == nil || o.HostData == nil { + return nil, false + } + return o.HostData, true +} + +// HasHostData returns a boolean if a field has been set. +func (o *PayloadConfig) HasHostData() bool { + if o != nil && o.HostData != nil { + return true + } + + return false +} + +// SetHostData gets a reference to the given string and assigns it to the HostData field. +func (o *PayloadConfig) SetHostData(v string) { + o.HostData = &v +} // GetFirmware returns the Firmware field value if set, zero value otherwise. func (o *PayloadConfig) GetFirmware() string { @@ -206,6 +238,9 @@ func (o PayloadConfig) MarshalJSON() ([]byte, error) { if o.Igvm != nil { toSerialize["igvm"] = o.Igvm } + if o.HostData != nil { + toSerialize["host_data"] = o.HostData + } if o.Firmware != nil { toSerialize["firmware"] = o.Firmware } diff --git a/src/runtime/virtcontainers/pkg/cloud-hypervisor/client/model_platform_config.go b/src/runtime/virtcontainers/pkg/cloud-hypervisor/client/model_platform_config.go index 3072f0bd31d7..b55d6c9149a4 100644 --- a/src/runtime/virtcontainers/pkg/cloud-hypervisor/client/model_platform_config.go +++ b/src/runtime/virtcontainers/pkg/cloud-hypervisor/client/model_platform_config.go @@ -22,6 +22,7 @@ type PlatformConfig struct { Uuid *string `json:"uuid,omitempty"` OemStrings *[]string `json:"oem_strings,omitempty"` Tdx *bool `json:"tdx,omitempty"` + Snp *bool `json:"snp,omitempty"` } // NewPlatformConfig instantiates a new PlatformConfig object 
@@ -32,6 +33,8 @@ func NewPlatformConfig() *PlatformConfig { this := PlatformConfig{} var tdx bool = false this.Tdx = &tdx + var snp bool = false + this.Snp = &snp return &this } @@ -42,6 +45,8 @@ func NewPlatformConfigWithDefaults() *PlatformConfig { this := PlatformConfig{} var tdx bool = false this.Tdx = &tdx + var snp bool = false + this.Snp = &snp return &this } @@ -237,6 +242,38 @@ func (o *PlatformConfig) SetTdx(v bool) { o.Tdx = &v } +// GetSnp returns the Snp field value if set, zero value otherwise. +func (o *PlatformConfig) GetSnp() bool { + if o == nil || o.Snp == nil { + var ret bool + return ret + } + return *o.Snp +} + +// GetSnpOk returns a tuple with the Snp field value if set, nil otherwise +// and a boolean to check if the value has been set. +func (o *PlatformConfig) GetSnpOk() (*bool, bool) { + if o == nil || o.Snp == nil { + return nil, false + } + return o.Snp, true +} + +// HasSnp returns a boolean if a field has been set. +func (o *PlatformConfig) HasSnp() bool { + if o != nil && o.Snp != nil { + return true + } + + return false +} + +// SetSnp gets a reference to the given bool and assigns it to the Snp field. +func (o *PlatformConfig) SetSnp(v bool) { + o.Snp = &v +} + func (o PlatformConfig) MarshalJSON() ([]byte, error) { toSerialize := map[string]interface{}{} if o.NumPciSegments != nil { @@ -257,6 +294,9 @@ func (o PlatformConfig) MarshalJSON() ([]byte, error) { if o.Tdx != nil { toSerialize["tdx"] = o.Tdx } + if o.Snp != nil { + toSerialize["snp"] = o.Snp + } return json.Marshal(toSerialize) } diff --git a/src/runtime/virtcontainers/pkg/cloud-hypervisor/cloud-hypervisor.yaml b/src/runtime/virtcontainers/pkg/cloud-hypervisor/cloud-hypervisor.yaml index f2adad0b6121..cd93408e8793 100644 --- a/src/runtime/virtcontainers/pkg/cloud-hypervisor/cloud-hypervisor.yaml +++ b/src/runtime/virtcontainers/pkg/cloud-hypervisor/cloud-hypervisor.yaml 
@@ -517,6 +517,8 @@ components: type: string igvm: type: string + host_data: + type: string description: Payloads to boot in guest VmConfig: @@ -662,6 +664,9 @@ components: tdx: type: boolean default: false + snp: + type: boolean + default: false MemoryZoneConfig: required: From 697531888ad28d6b5b4417d1a25cc6a03dc6b92c Mon Sep 17 00:00:00 2001 From: Manuel Huber Date: Tue, 1 Aug 2023 00:55:21 +0000 Subject: [PATCH 2/6] Add IGVM, HostData, Snp to config markdown doc --- .../client/docs/PayloadConfig.md | 59 +++++++++++++++++-- .../client/docs/PlatformConfig.md | 35 +++++++++-- 2 files changed, 85 insertions(+), 9 deletions(-) diff --git a/src/runtime/virtcontainers/pkg/cloud-hypervisor/client/docs/PayloadConfig.md b/src/runtime/virtcontainers/pkg/cloud-hypervisor/client/docs/PayloadConfig.md index 096584a8fe43..f69a0b587c3c 100644 --- a/src/runtime/virtcontainers/pkg/cloud-hypervisor/client/docs/PayloadConfig.md +++ b/src/runtime/virtcontainers/pkg/cloud-hypervisor/client/docs/PayloadConfig.md @@ -4,10 +4,12 @@ Name | Type | Description | Notes ------------ | ------------- | ------------- | ------------- -**Firmware** | Pointer to **string** | | [optional] -**Kernel** | Pointer to **string** | | [optional] -**Cmdline** | Pointer to **string** | | [optional] -**Initramfs** | Pointer to **string** | | [optional] +**Firmware** | Pointer to **string** | | [optional] +**Kernel** | Pointer to **string** | | [optional] +**Cmdline** | Pointer to **string** | | [optional] +**Initramfs** | Pointer to **string** | | [optional] +**Igvm** | Pointer to **string** | | [optional] +**HostData** | Pointer to **string** | | [optional] ## Methods 
@@ -128,6 +130,55 @@ SetInitramfs sets Initramfs field to given value. HasInitramfs returns a boolean if a field has been set. +### GetIgvm + +`func (o *PayloadConfig) GetIgvm() string` + +GetIgvm returns the Igvm field if non-nil, zero value otherwise. + +### GetIgvmOk + +`func (o *PayloadConfig) GetIgvmOk() (*string, bool)` + +GetIgvmOk returns a tuple with the Igvm field if it's non-nil, zero value otherwise +and a boolean to check if the value has been set. + +### SetIgvm + +`func (o *PayloadConfig) SetIgvm(v string)` + +SetIgvm sets Igvm field to given value. + +### HasIgvm + +`func (o *PayloadConfig) HasIgvm() bool` + +HasIgvm returns a boolean if a field has been set. + +### GetHostData + +`func (o *PayloadConfig) GetHostData() string` + +GetHostData returns the HostData field if non-nil, zero value otherwise. + +### GetHostDataOk + +`func (o *PayloadConfig) GetHostDataOk() (*string, bool)` + +GetHostDataOk returns a tuple with the HostData field if it's non-nil, zero value otherwise +and a boolean to check if the value has been set. + +### SetHostData + +`func (o *PayloadConfig) SetHostData(v string)` + +SetHostData sets HostData field to given value. + +### HasHostData + +`func (o *PayloadConfig) HasHostData() bool` + +HasHostData returns a boolean if a field has been set. [[Back to Model list]](../README.md#documentation-for-models) [[Back to API list]](../README.md#documentation-for-api-endpoints) [[Back to README]](../README.md) diff --git a/src/runtime/virtcontainers/pkg/cloud-hypervisor/client/docs/PlatformConfig.md b/src/runtime/virtcontainers/pkg/cloud-hypervisor/client/docs/PlatformConfig.md index d8772c5e0a75..fc9242e17157 100644 --- a/src/runtime/virtcontainers/pkg/cloud-hypervisor/client/docs/PlatformConfig.md +++ b/src/runtime/virtcontainers/pkg/cloud-hypervisor/client/docs/PlatformConfig.md 
@@ -4,12 +4,13 @@ Name | Type | Description | Notes ------------ | ------------- | ------------- | ------------- -**NumPciSegments** | Pointer to **int32** | | [optional] -**IommuSegments** | Pointer to **[]int32** | | [optional] -**SerialNumber** | Pointer to **string** | | [optional] -**Uuid** | Pointer to **string** | | [optional] -**OemStrings** | Pointer to **[]string** | | [optional] +**NumPciSegments** | Pointer to **int32** | | [optional] +**IommuSegments** | Pointer to **[]int32** | | [optional] +**SerialNumber** | Pointer to **string** | | [optional] +**Uuid** | Pointer to **string** | | [optional] +**OemStrings** | Pointer to **[]string** | | [optional] **Tdx** | Pointer to **bool** | | [optional] [default to false] +**Snp** | Pointer to **bool** | | [optional] [default to false] ## Methods @@ -180,6 +181,30 @@ SetTdx sets Tdx field to given value. HasTdx returns a boolean if a field has been set. +### GetSnp + +`func (o *PlatformConfig) GetSnp() bool` + +GetSnp returns the Snp field if non-nil, zero value otherwise. + +### GetSnpOk + +`func (o *PlatformConfig) GetSnpOk() (*bool, bool)` + +GetSnpOk returns a tuple with the Snp field if it's non-nil, zero value otherwise +and a boolean to check if the value has been set. + +### SetSnp + +`func (o *PlatformConfig) SetSnp(v bool)` + +SetSnp sets Snp field to given value. + +### HasSnp + +`func (o *PlatformConfig) HasSnp() bool` + +HasSnp returns a boolean if a field has been set. [[Back to Model list]](../README.md#documentation-for-models) [[Back to API list]](../README.md#documentation-for-api-endpoints) [[Back to README]](../README.md) From 56a034893f112c3f9a52bf3a3f6744a767d61ed8 Mon Sep 17 00:00:00 2001 
From: Manuel Huber Date: Tue, 1 Aug 2023 01:23:02 +0000 Subject: [PATCH 3/6] sanitize clh-snp.toml.in and clh.toml.in --- src/runtime/config/configuration-clh-snp.toml.in | 16 +++++++--------- src/runtime/config/configuration-clh.toml.in | 11 ++++++----- 2 files changed, 13 insertions(+), 14 deletions(-) diff --git a/src/runtime/config/configuration-clh-snp.toml.in b/src/runtime/config/configuration-clh-snp.toml.in index 645b36167825..fd12c25b2e4a 100644 --- a/src/runtime/config/configuration-clh-snp.toml.in +++ b/src/runtime/config/configuration-clh-snp.toml.in @@ -14,9 +14,6 @@ [hypervisor.clh] path = "@CLHSNPPATH@" igvm = "@IGVMPATH@" -#kernel = "@KERNELPATH_CLH@" -#image = "@IMAGEPATH@" -#initrd = "@INITRDSEVPATH@" # rootfs filesystem type: # - ext4 (default) @@ -33,7 +30,7 @@ rootfs_type=@DEFROOTFSTYPE@ # # Known limitations: # * Does not work by design: -# - CPU Hotplug +# - CPU Hotplug # - Memory Hotplug # - NVDIMM devices # @@ -43,7 +40,8 @@ rootfs_type=@DEFROOTFSTYPE@ # Default false confidential_guest = true -# enable SEV SNP VMs. This is not currently used by CLH +# enable SEV SNP VMs. +# This is not currently used by CLH sev_snp_guest = @DEFSNPGUEST@ # SNP guest policy @@ -222,9 +220,9 @@ block_device_driver = "virtio-blk" # and we strongly advise users to refer the Cloud Hypervisor official # documentation for a better understanding of its internals: # https://github.com/cloud-hypervisor/cloud-hypervisor/blob/main/docs/io_throttling.md -# +# # Bandwidth rate limiter options -# +# # net_rate_limiter_bw_max_rate controls network I/O bandwidth (size in bits/sec # for SB/VM). # The same value is used for inbound and outbound bandwidth. 
@@ -258,9 +256,9 @@ block_device_driver = "virtio-blk" # and we strongly advise users to refer the Cloud Hypervisor official # documentation for a better understanding of its internals: # https://github.com/cloud-hypervisor/cloud-hypervisor/blob/main/docs/io_throttling.md -# +# # Bandwidth rate limiter options -# +# # disk_rate_limiter_bw_max_rate controls disk I/O bandwidth (size in bits/sec # for SB/VM). # The same value is used for inbound and outbound bandwidth. diff --git a/src/runtime/config/configuration-clh.toml.in b/src/runtime/config/configuration-clh.toml.in index bcaccd717c49..e0640d0f18ff 100644 --- a/src/runtime/config/configuration-clh.toml.in +++ b/src/runtime/config/configuration-clh.toml.in @@ -15,6 +15,7 @@ path = "@CLHPATH@" kernel = "@KERNELPATH_CLH@" image = "@IMAGEPATH@" +#initrd = "@INITRDPATH@" # rootfs filesystem type: # - ext4 (default) @@ -31,7 +32,7 @@ rootfs_type=@DEFROOTFSTYPE@ # # Known limitations: # * Does not work by design: -# - CPU Hotplug +# - CPU Hotplug # - Memory Hotplug # - NVDIMM devices # @@ -211,9 +212,9 @@ block_device_driver = "virtio-blk" # and we strongly advise users to refer the Cloud Hypervisor official # documentation for a better understanding of its internals: # https://github.com/cloud-hypervisor/cloud-hypervisor/blob/main/docs/io_throttling.md -# +# # Bandwidth rate limiter options -# +# # net_rate_limiter_bw_max_rate controls network I/O bandwidth (size in bits/sec # for SB/VM). # The same value is used for inbound and outbound bandwidth. @@ -247,9 +248,9 @@ block_device_driver = "virtio-blk" # and we strongly advise users to refer the Cloud Hypervisor official # documentation for a better understanding of its internals: # https://github.com/cloud-hypervisor/cloud-hypervisor/blob/main/docs/io_throttling.md -# +# # Bandwidth rate limiter options -# +# # disk_rate_limiter_bw_max_rate controls disk I/O bandwidth (size in bits/sec # for SB/VM). # The same value is used for inbound and outbound bandwidth. 
From ad4d4052cc76d19d19d226d4d369f15aac784204 Mon Sep 17 00:00:00 2001 From: Manuel Huber Date: Thu, 10 Aug 2023 22:36:58 +0000 Subject: [PATCH 4/6] Further changes required for SEV SNP enablement --- .../config/configuration-clh-snp.toml.in | 7 ++--- src/runtime/pkg/katautils/config.go | 1 + src/runtime/virtcontainers/clh.go | 26 ++++++++++++++----- 3 files changed, 24 insertions(+), 10 deletions(-) diff --git a/src/runtime/config/configuration-clh-snp.toml.in b/src/runtime/config/configuration-clh-snp.toml.in index fd12c25b2e4a..ff06ba3702df 100644 --- a/src/runtime/config/configuration-clh-snp.toml.in +++ b/src/runtime/config/configuration-clh-snp.toml.in @@ -84,8 +84,8 @@ enable_annotations = @DEFENABLEANNOTATIONS@ # List of valid annotations values for the hypervisor # Each member of the list is a path pattern as described by glob(3). # The default if not set is empty (all annotations rejected.) -# Your distribution recommends: @CLHVALIDHYPERVISORPATHS@ -valid_hypervisor_paths = @CLHVALIDHYPERVISORPATHS@ +# Your distribution recommends: @CLHSNPVALIDHYPERVISORPATHS@ +valid_hypervisor_paths = @CLHSNPVALIDHYPERVISORPATHS@ # Optional space-separated list of options to pass to the guest kernel. # For example, use `kernel_params = "vsyscall=emulate"` if you are having @@ -190,7 +190,8 @@ block_device_driver = "virtio-blk" #enable_hugepages = true # Disable the 'seccomp' feature from Cloud Hypervisor, default false -# disable_seccomp = true +# TODO - to be re-enabled with next CH-SNP release. This is fixed but the fix is not yet released +disable_seccomp = true # This option changes the default hypervisor and kernel parameters # to enable debug output where available. diff --git a/src/runtime/pkg/katautils/config.go b/src/runtime/pkg/katautils/config.go index 6d5c01a8520b..d14a55a9c260 100644 --- a/src/runtime/pkg/katautils/config.go +++ b/src/runtime/pkg/katautils/config.go 
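Review bot: `disable_seccomp = true` in the `@@ -190,7 +190,8 @@` hunk switches off Cloud Hypervisor's seccomp sandbox in the shipped SNP configuration, and the TODO above it names neither the release that carries the fix nor an issue to track, so the relaxation can easily outlive the bug it works around. Record the revert condition in the comment, e.g. `# TODO: remove once the Cloud Hypervisor release containing the SNP seccomp fix (<tracking issue or release placeholder>) is the minimum supported version; until then the CH process runs without its seccomp filter.` Consider also keeping the line commented out as before (`#disable_seccomp = true`) and letting the build or packaging step enable it only for the affected CH version, so deployments that are not affected keep the filter. The `valid_hypervisor_paths` hunk earlier on this line is a straightforward placeholder rename.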
@@ -1113,6 +1113,7 @@ func newClhHypervisorConfig(h hypervisor) (vc.HypervisorConfig, error) { EnableAnnotations: h.EnableAnnotations, DisableSeccomp: h.DisableSeccomp, ConfidentialGuest: h.ConfidentialGuest, + SevSnpGuest: h.SevSnpGuest, Rootless: h.Rootless, DisableSeLinux: h.DisableSeLinux, DisableGuestSeLinux: h.DisableGuestSeLinux, diff --git a/src/runtime/virtcontainers/clh.go b/src/runtime/virtcontainers/clh.go index d81be8ef21b0..9fd1588f746e 100644 --- a/src/runtime/virtcontainers/clh.go +++ b/src/runtime/virtcontainers/clh.go @@ -73,7 +73,7 @@ const ( // Values based on: clhTimeout = 10 clhAPITimeout = 1 - clhAPITimeoutConfidentialGuest = 40 + clhAPITimeoutConfidentialGuest = 60 // Timeout for hot-plug - hotplug devices can take more time, than usual API calls // Use longer time timeout for it. clhHotPlugAPITimeout = 5 @@ -406,9 +406,21 @@ func (clh *cloudHypervisor) nydusdAPISocketPath(id string) (string, error) { } func (clh *cloudHypervisor) enableProtection() error { - protection, err := availableGuestProtection() - if err != nil { - return err + + protection := noneProtection + + // SNP protection explicitly requested by config + if clh.config.SevSnpGuest { + clh.Logger().WithField("function", "enableProtection").Info("SEVSNPGUEST") + protection = snpProtection + } else { + clh.Logger().WithField("function", "enableProtection").Info("NOSEVSNPGUEST") + // protection method not explicitly requested, using available method + availableProtection, err := availableGuestProtection() + if err != nil { + return err + } + protection = availableProtection } switch protection { @@ -431,6 +443,9 @@ func (clh *cloudHypervisor) enableProtection() error { return nil + case sevProtection: + return errors.New("SEV protection is not supported by Cloud Hypervisor") + case snpProtection: if clh.vmconfig.Platform == nil { clh.vmconfig.Platform = chclient.NewPlatformConfig() 
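Review bot: In the `enableProtection` hunk (`@@ -406,9 +406,21 @@`), setting `clh.config.SevSnpGuest` now selects `snpProtection` without consulting `availableGuestProtection()`, so a host without SNP support is not rejected here; whether the launch then fails closed depends on Cloud Hypervisor refusing `snp=true` rather than booting an unprotected guest, which this hunk cannot show and should be confirmed, since the runtime no longer performs any check of its own on this path. A comment at the branch would make that contract explicit, e.g. `// SNP was requested explicitly; host support is not probed here, so the hypervisor must reject the launch if SNP is unavailable.` The `protection := noneProtection` initialiser is dead because both branches assign `protection`, and the `availableProtection` temporary can go in favour of assigning the result directly; the blank line that opens the function body is also unnecessary. The `case sevProtection` hunk further on this line only moves the existing error, and `enableProtection` continues past the hunk.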
@@ -441,9 +456,6 @@ func (clh *cloudHypervisor) enableProtection() error { return nil - case sevProtection: - return errors.New("SEV protection is not supported by Cloud Hypervisor") - default: return nil //return errors.New("This system doesn't support Confidential Computing (Guest Protection)") From df8982c39e71e80fd67eccbf5e9b1062754eefd5 Mon Sep 17 00:00:00 2001 From: Manuel Huber Date: Fri, 11 Aug 2023 00:05:21 +0000 Subject: [PATCH 5/6] Remove unnecessary debug output --- src/runtime/virtcontainers/clh.go | 2 -- 1 file changed, 2 deletions(-) diff --git a/src/runtime/virtcontainers/clh.go b/src/runtime/virtcontainers/clh.go index 9fd1588f746e..0fa88272cdff 100644 --- a/src/runtime/virtcontainers/clh.go +++ b/src/runtime/virtcontainers/clh.go @@ -411,10 +411,8 @@ func (clh *cloudHypervisor) enableProtection() error { // SNP protection explicitly requested by config if clh.config.SevSnpGuest { - clh.Logger().WithField("function", "enableProtection").Info("SEVSNPGUEST") protection = snpProtection } else { - clh.Logger().WithField("function", "enableProtection").Info("NOSEVSNPGUEST") // protection method not explicitly requested, using available method availableProtection, err := availableGuestProtection() if err != nil { From c9231c9e1995ae706cd5d13d3cf4ce14aa4d1ed4 Mon Sep 17 00:00:00 2001 From: Manuel Huber Date: Tue, 22 Aug 2023 00:21:33 +0000 Subject: [PATCH 6/6] Update outdated comment in config --- src/runtime/config/configuration-clh-snp.toml.in | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/src/runtime/config/configuration-clh-snp.toml.in b/src/runtime/config/configuration-clh-snp.toml.in index ff06ba3702df..3462dd9f3fe4 100644 --- a/src/runtime/config/configuration-clh-snp.toml.in +++ b/src/runtime/config/configuration-clh-snp.toml.in 
@@ -41,7 +41,9 @@ rootfs_type=@DEFROOTFSTYPE@ confidential_guest = true # enable SEV SNP VMs. -# This is not currently used by CLH +# This is used in the CLH code path to request SEV SNP encryption. The function availableGuestProtection (see hypervisor_linux_amd64.go) +# that detects guest protection features hypervisor_linux_amd64.go only supports QEMU/KVM platforms, and currently there is no way to +# detect SEV SNP support with CLH/MSHV. sev_snp_guest = @DEFSNPGUEST@ # SNP guest policy
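Review bot: The rewritten comment repeats the file name and loses its grammar ("The function availableGuestProtection (see hypervisor_linux_amd64.go) that detects guest protection features hypervisor_linux_amd64.go only supports ..."), so the operator reading the template cannot tell what the sentence asserts. A corrected version of the three added lines: `# This is used in the CLH code path to request SEV SNP encryption. availableGuestProtection (see hypervisor_linux_amd64.go),` / `# which detects guest protection features, only supports QEMU/KVM platforms, and currently there is no way to` / `# detect SEV SNP support with CLH/MSHV.` It would also help operators to state the consequence plainly, e.g. `# Setting this to true on a host without SEV SNP is not detected by the runtime.`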